Investigating the new PowerPoint issue

This afternoon, we posted Security Advisory 969136 describing a new vulnerability in PowerPoint while parsing the legacy binary file format. Unfortunately, we discovered this vulnerability being used to deploy malware in targeted attacks. We expect this blog post will:

Help you protect your organization from being exploited, and

Help you analyze suspicious PowerPoint files.

The malware samples we have seen exploiting this vulnerability are the first reliable exploits we have seen in the wild that infect Office 2003 SP3 with the latest security updates. Office 2003 SP3 (released Sept 2007) had a good run being safe from the bad guys but we missed this bug while back-porting fixes found in the Office 12 fuzzing effort to Office 2003 SP3. SP3 was a massive security push that we recommend all Office 2003 customers apply (this vulnerability notwithstanding).

There are a couple of workarounds you can apply in your environment to protect yourself from potential attacks using this vulnerability. First, the vulnerable code cannot be reached by PowerPoint files in the newer XML file format. If your environment has mostly already migrated to using PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the security advisory. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the advisory. In addition to the defense-in-depth sandbox MOICE uses during the conversion, the PowerPoint converter is not vulnerable to this bug, so it is safe to use MOICE to "wring out" the unsafe record configuration.

Finally, we wanted to share some tricks to analyze exploits we have seen for this vulnerability. If you have access to any of the samples listed in the MMPC blog post, you can follow along with this mini tutorial on extracting trojans from targeted attacks. This is a dynamic analysis method that does not even require you to recognize assembly. However, you will need a vulnerable version of Office (Office 2003 SP3 in this case) and WinDbg.

Start by setting the Image File Execution Option to set a default debugger for “POWERPNT.EXE”:

This causes the relevant parameters from CreateFile, LoadLibrary, and WinExec to be printed out as they are called. This way, we will be able to see which files the exploit creates, with their complete paths. Eric Landuyt from DataRescue employed this method to analyze a piece of malware (Hi Eric!). In our scenario, we apply it to shellcode. We also set a breakpoint on “WinExec” because we know that this particular shellcode will use WinExec to execute the trojan file. Sometimes shellcode uses CreateProcess instead. It is important to note that we did not put a “g” for the WinExec breakpoint because we do not want it to execute. We just want the path. To continue the process, hit “g” to let PowerPoint execute. Now, you will see a lot of messages coming up on the screen because PowerPoint actually uses CreateFile/LoadLibrary for legitimate purposes; the shellcode will use them too, but towards the end. Here is an example output:

It is easy to see from the output where the trojan was placed. You are at a breakpoint now so you can safely grab the malicious EXE file and perform whatever analysis you'd like.

Sure enough, ~AC0810.TMP is a malicious PE binary:

You can apply this same fast, simple, generic technique in analyzing EXE malware, PDF, IE, and other types of exploits. Let us know if you have feedback or other analysis techniques you would like to share.
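The breakpoint setup described in the tutorial above, written out as an added example (not the authors' original commands). It assumes a 32-bit x86 POWERPNT.EXE, where the first argument sits at esp+4 on function entry, and it also covers the ANSI/wide and Ex variants of each API plus CreateProcess. The WinDbg path in the prerequisite is a placeholder.

```windbg
$$ Added example. Assumes 32-bit x86 POWERPNT.EXE (Office 2003 SP3) inside an isolated analysis VM.
$$ Prerequisite, run once from an elevated command prompt (the WinDbg path is a placeholder):
$$   reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE" /v Debugger /t REG_SZ /d "<path-to>\windbg.exe"
$$ Opening a .ppt then starts POWERPNT.EXE under WinDbg, stopped at the initial breakpoint.

$$ On entry to a stdcall function, [esp] is the return address and [esp+4] the first argument.
$$ Print the file path being opened, then continue ("g").
bp kernel32!CreateFileA "da poi(esp+4); g"
bp kernel32!CreateFileW "du poi(esp+4); g"

$$ Print the module name being loaded, then continue.
bp kernel32!LoadLibraryA "da poi(esp+4); g"
bp kernel32!LoadLibraryW "du poi(esp+4); g"
bp kernel32!LoadLibraryExA "da poi(esp+4); g"
bp kernel32!LoadLibraryExW "du poi(esp+4); g"

$$ WinExec: print the command line and stop. There is no "g", so the dropped file never runs.
bp kernel32!WinExec "da poi(esp+4)"

$$ Some shellcode uses CreateProcess instead. lpCommandLine is its second argument.
bp kernel32!CreateProcessA "da poi(esp+8)"
bp kernel32!CreateProcessW "du poi(esp+8)"

$$ Resume PowerPoint and watch the output for the last paths printed before the stop.
g
```

Delete the Debugger value when the analysis is finished so POWERPNT.EXE starts normally again.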

- Bruce Dang and Jonathan Ness, MSRC Engineering

*Postings are provided "AS IS" with no warranties, and confer no rights.*

Update (April 3, 2009): Minor edit to the LoadLibrary breakpoint commands. Thank you to Julio Auto for pointing this out.